SecurityTracker.com
Category:   Application (Generic)  >   Xen
Vendors:   XenSource
Xen VMX Permission Check Flaw Lets Local Users on the Guest System Cause the Host System to Crash
SecurityTracker Alert ID:  1029313
SecurityTracker URL:  http://securitytracker.com/id/1029313
CVE Reference:   CVE-2013-4551
Date:  Nov 8 2013
Impact:   Denial of service via local system
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 4.2.x, 4.3.x
Description:   A vulnerability was reported in Xen. A local user on the guest system can cause the host system to crash.

The system does not properly check permissions on the emulation paths for the VMLAUNCH and VMRESUME instructions when nested virtualization is not enabled on the guest system. A local user on the guest system can cause the host system to crash.

HVM guests running on VMX-capable hardware are affected.

Jeff Zimmerman reported this vulnerability.

Impact:   A local user on the HVM guest system can cause the host system to crash.
Solution:   The vendor has issued a fix (xsa75-4.2.patch, xsa75-4.3-unstable.patch).
Vendor URL:  www.xen.org/
Cause:   State error
Underlying OS:   Linux (Any)

Message History:   None.


 Source Message Contents

Date:  Fri, 08 Nov 2013 16:21:13 +0000
Subject:  [oss-security] Xen Security Advisory 75 - Host crash due to guest VMX instruction execution

                  Xen Security Advisory XSA-75

           Host crash due to guest VMX instruction execution

ISSUE DESCRIPTION
=================

Permission checks on the emulation paths (intended for guests using
nested virtualization) for VMLAUNCH and VMRESUME were deferred too
much.  The hypervisor would try to use internal state which is not set
up unless nested virtualization is actually enabled for a guest.

IMPACT
======

A malicious or misbehaved HVM guest, including malicious or misbehaved user
mode code run in the guest, might be able to crash the host.

VULNERABLE SYSTEMS
==================

Xen 4.2.x and later are vulnerable.
Xen 4.1.x and earlier are not vulnerable.

Only HVM guests run on VMX capable (e.g. Intel) hardware can take
advantage of this vulnerability.

MITIGATION
==========

Running only PV guests, or running HVM guests on SVM capable
(e.g. AMD) hardware will avoid this issue.

Enabling nested virtualization for a HVM guest running on VMX capable
hardware would also allow avoiding the issue.  However this
functionality is still considered experimental, and is not covered by
security support from the Xen Project security team.  This approach is
therefore not recommended for use in production.

CREDITS
=======

This issue was discovered by Jeff Zimmerman.

NOTE REGARDING LACK OF EMBARGO
==============================

This issue was disclosed publicly on the xen-devel mailing list.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa75-4.3-unstable.patch    Xen 4.3.x, xen-unstable
xsa75-4.2.patch             Xen 4.2.x

$ sha256sum xsa75*.patch
0b2da4ede6507713c75e313ba468b1fd7110e5696974ab72e2135f41ee393a8b  xsa75-4.2.patch
91936421279fd2fa5321d9ed5a2b71fe76bc0e1348e67126e8b9cde0cb1d32b2  xsa75-4.3-unstable.patch
$
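The affected-system conditions and mitigations in the advisory above can be turned into a quick triage of guest configurations. The following is an added example, not part of the SecurityTracker alert or the Xen advisory. The function names are hypothetical, `builder` and `nestedhvm` are the xl guest configuration options it reads, the sample configs are constructed, and whether the host is VMX capable is supplied by the operator.

```python
import re

# Patch file names as listed in the advisory's RESOLUTION section.
PATCHES = {(4, 2): "xsa75-4.2.patch", (4, 3): "xsa75-4.3-unstable.patch"}

def xen_release(version):
    """Return (major, minor) from a version string such as '4.2.3'."""
    m = re.match(r"(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised Xen version: {version!r}")
    return int(m.group(1)), int(m.group(2))

def parse_xl_cfg(text):
    """Minimal reader for the scalar `key = value` lines of an xl guest config."""
    cfg = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments
        if "=" in line:
            key, value = line.split("=", 1)
            cfg[key.strip()] = value.strip().strip("\"'")
    return cfg

def triage(cfg_text, xen_version, host_has_vmx):
    """Classify one guest against the conditions stated in XSA-75."""
    release = xen_release(xen_version)
    cfg = parse_xl_cfg(cfg_text)
    if release < (4, 2):
        return ("not-affected", "Xen 4.1.x and earlier are not vulnerable")
    if cfg.get("builder", "").lower() != "hvm":
        return ("not-affected", "PV guest")
    if not host_has_vmx:
        return ("not-affected", "host is not VMX capable")
    if cfg.get("nestedhvm", "0") == "1":
        # Avoids the issue, but the advisory does not recommend it in production.
        return ("avoided-unsupported", "nested virtualization is experimental")
    return ("exposed", PATCHES.get(release, "no patch listed for this release"))

# Constructed sample guest configs (not taken from any real deployment).
HVM_GUEST = 'name = "web01"\nbuilder = "hvm"\nmemory = 2048\n'
NESTED_GUEST = HVM_GUEST + "nestedhvm = 1  # lab only\n"
PV_GUEST = 'name = "db01"\nkernel = "/boot/vmlinuz"\nmemory = 1024\n'

if __name__ == "__main__":
    for label, cfg in (("hvm", HVM_GUEST), ("nested", NESTED_GUEST), ("pv", PV_GUEST)):
        print(label, triage(cfg, "4.2.3", host_has_vmx=True))
```
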
 
 



Copyright 2014, SecurityGlobal.net LLC